Financial Conduct Authority's Dear CEO Letter: UK Cloud Summit Recap, Part 2
We’re back for Part Two of our UK Cloud Summit seminar recap. Last week on Hedge IT, we explored connecting to the cloud. In today's article, we will dive into the most talked-about UK regulation: the Financial Conduct Authority’s (FCA) Dear CEO letter. We will cover how the letter affects IT outsourcing and the steps firms can take to mitigate service provider risk and adhere to the Dear CEO letter guidance.
The “Dear CEO” letter was issued in December 2012 to all UK asset managers and expressed concern about the endemic outsourcing risk in the sector, particularly around asset managers having effective business continuity plans (BCP) and exit strategies in place with their service providers in the event of service provider failure.
Since the letter was issued, the FCA has asked firms to demonstrate that they have a clear handle on what they outsource and why, a full understanding of the potential impacts of failure, and contingency plans that are viable, robust, and realistic.
The UK regulator's primary focus to date has been on asset managers outsourcing middle and back office functions to service providers, but this could soon be extended to IT service providers, too, since a large number of firms are outsourcing a substantial amount of their technology to IT providers.
Both regulators and investors want to see managers conduct rigorous operational due diligence on their service providers. Below is a list of outsourced risks, failure assessments and mitigation approaches for asset managers:
Sourcing Strategy: Firms should articulate a clear and concise sourcing strategy and this should include their contingency approach
Service Provider Exposure: Firms must know their overall exposure to providers
Impact Assessment: The business impacts of a provider failure must be understood and firms must have responses to failure prepared
Contingency Planning: Firms must have a defined contingency plan
Service Provider Selection Criteria: Firms must evaluate if the provider maintains contingency plans or disaster recovery plans
Contract Review: Contracts may well need revision to update exit terms and provide for exit plans for potential failure situations
Risk Monitoring: Establishing a set of forward-looking financial and non-financial indicators (KRIs) and trigger points will be a useful adjunct to existing service indicators (KPIs) and help provide early warning of possible failure or disruption